[R] Virus Alert

(Ted Harding) Ted.Harding at nessie.mcc.ac.uk
Tue Jun 3 12:38:40 CEST 2003


On 03-Jun-03 Peter Dalgaard BSA wrote:
> It's really difficult to tell who the culprit is because all we're
> seeing are autoreplies from someones system to an infected mail that
> purported to be from r-help.
> 
> The original message headers might be able to tell us who is infected
> (which may or may not be someone on the list, depending on where the
> virus is grabbing its From: headers from).

I don't think there's much mileage in trying to trace origins. The only
clue you're going to get from the autoreply is who it was originally
"To:", and if you do receive an "original" directly (as I have done quite
a few times) then also who it was "From:"; both addresses are faked by
the Sobig.C virus, being harvested from email addresses found on the
originating system. So such messages limit the field to people who have
these addresses in their system. It's possible that you may just manage to
guess who it is from this information, but in general this still leaves
far too big a field of possibilities.

Have a look, for instance, at the appropriate entries
  --> Sobig
  --> Sobig.A (Sobig)
  --> Sobig.B (Palyh)
  --> Sobig.C
under
  http://www.datafellows.com/v-descs/s.shtml
to learn about the modus operandi of the various versions of Sobig.

The "Message-Id:" header is unlikely to be much help either: While mailer
software originating a message is supposed to insert such a header at the
time, these viruses generally don't; and if a mail arrives at a mail-hub
without a "Message-Id:" then the mail-hub will insert its own.

The "helo=..." is useless: this is faked at the time of sending during
the SMTP dialogue that the virus initiates itself (bypassing the user's
own mail-transfer system).

The only thing I can suggest is for Windows users on the list to grab
the latest virus updates for their anti-virus software, and check their
own systems.

And in reassurance to Kurt Sys: A Linux system will not be vulnerable to
this virus since it can only get its teeth into a Windows system. The
message you got (and quoted to the list) you received from R-help (as
I did), since xtra.co.nz thought it had received a virus from r-help, and
replied to the list.

Ted.


--------------------------------------------------------------------
E-Mail: (Ted Harding) <Ted.Harding at nessie.mcc.ac.uk>
Fax-to-email: +44 (0)870 167 1972
Date: 03-Jun-03                                       Time: 11:38:40
------------------------------ XFMail ------------------------------
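The header analysis above, as an added example that is not part of the original message: given a mail as it arrived at the list's hub, walk the Received: chain from the top and stop at the first line not written by one of our own hubs. That line's bracketed IP is the peer that actually opened the SMTP connection (the one datum a virus with its own SMTP engine cannot forge), while the helo= name on the same line, the From:/To: addresses and any Received: lines below it were all supplied by the sender. The script also checks whether the Message-Id: domain is one of our hubs, which is what you expect when the hub had to insert one. The sample headers and all host names (hub.example.net, mail.example.org, the 203.0.113.45 address) are constructed for the example.

```python
import re
from email import message_from_bytes
from email.policy import default as default_policy

# Constructed sample (not a real capture): a message as it arrived at the list's
# mail hub. Only the first Received: line was written by hub.example.net; every
# header below it came from whatever connected to the hub.
SAMPLE = b"""Received: from mail.example.org (unknown [203.0.113.45])
\tby hub.example.net (Postfix) with ESMTP id 4F2A1B3C5
\tfor <r-help@example.net>; Tue,  3 Jun 2003 10:15:22 +0200
Received: from relay.example.com ([198.51.100.77])
\tby mail.example.org with SMTP; Tue, 3 Jun 2003 10:15:20 +0200
Message-Id: <20030603081522.4F2A1B3C5@hub.example.net>
From: someone@example.com
To: r-help@example.net
Subject: Re: Approved

Please see the attached file.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into its HELO name, bracketed IP and 'by' host."""
    text = " ".join(str(value).split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip_m = IPV4_RE.search(m.group("paren") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by").lower(),
    }


def analyze(raw, trusted_hubs):
    """Separate what our own hubs recorded from what the sender supplied."""
    msg = message_from_bytes(raw, policy=default_policy)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]

    # Received: headers are prepended, so hops[0] is the newest. The last hop
    # written by one of our hubs names the external peer that connected to us.
    boundary = None
    for hop in hops:
        if hop["by"] not in trusted_hubs:
            break
        boundary = hop

    msg_id = str(msg.get("Message-Id", ""))
    id_domain = msg_id.rstrip(">").rsplit("@", 1)[-1].lower() if "@" in msg_id else ""
    sender_lines = len(hops) - (hops.index(boundary) + 1 if boundary else 0)
    return {
        "connecting_ip": boundary["ip"] if boundary else None,   # not forgeable
        "helo_claimed": boundary["helo"] if boundary else None,  # chosen by sender
        "message_id_added_by_hub": id_domain in trusted_hubs,
        "untrusted_received_lines": sender_lines,                # sender-supplied
        "from_header": str(msg.get("From", "")),                 # harvested/faked
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE, {"hub.example.net"}).items():
        print(f"{key}: {val}")
```

The connecting IP is the only lead this leaves, and in the scenario described in the message it usually resolves to a dial-up or dynamic address rather than to anyone's published mail host, which is why tracing the infected machine from a list autoreply rarely gets far.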